WordPress’ core development team disclosed that a recent update of the content management system (CMS) silently patched a severe vulnerability. WordPress users are encouraged to make sure they are running the latest update, version 4.7.2, as otherwise their site could be hijacked.
The dangerous code injection vulnerability was discovered by the website security company Sucuri, which says that, if exploited, it can allow an unauthenticated user to modify the content of any WordPress post or page. It was reported privately to the WordPress team on January 20. This was bad news for many websites, including Fortune, USA Today and Time, and for tech companies such as Microsoft, Facebook and IBM, among many others.
Using those sites to spread negative information, or even just undermining their credibility by defacing them, could cause real problems. Sucuri reported the vulnerability to the WordPress security team, which is said to have handled it extremely well and worked with Sucuri to “coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public,” according to Sucuri.
WordPress then worked with other companies to ensure the vulnerability would not be exploited once it was revealed. Disclosure can itself create a problem for many services: people do not always update their software right away, so when a security issue is disclosed together with the patch that fixes it, attackers have effectively been told how to break into systems that have not been updated. WordPress therefore contacted security companies, hosts and others to stop that from happening.
Three security vulnerabilities were mentioned in the release announcement, and WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. WordPress 4.7.2 debuted on January 26 and the vulnerability was disclosed on February 1, which gave many WordPress users and developers time to update their systems. WordPress explained the reason for its delay:
“By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.
On Thursday, January 26, we released WordPress 4.7.2 to the world. The release went out over our auto update system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.”
WordPress users are advised to update to the latest version, 4.7.2, as soon as possible. Even with the careful handling of this issue and the response from companies like Sucuri and the WordPress hosts, many WordPress-based websites are still bound to remain affected by this vulnerability.